In most cases, IPMI/KVM access is restricted to an internal management network to provide better protection than exposing it publicly. However, the downside is that it makes it difficult to access in case of an emergency. In this article, we will see how to tunnel traffic through an SSH connection, allowing us direct access to the KVM of the private network.

It seems that each KVM opens different ports for its operation, so first we will find out the correct ports by scanning with Nmap. We do this from the intermediate jump host:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-16 22:05 UTC  
Nmap scan report for IP_LAN_KVM  
Host is up (0.0012s latency).  
Not shown: 65523 closed ports  
PORT      STATE SERVICE  
22/tcp    open  ssh  
80/tcp    open  http  
111/tcp   open  rpcbind  
443/tcp   open  https  
623/tcp   open  oob-ws-http  
5120/tcp  open  barracuda-bbs  
5123/tcp  open  unknown  
5124/tcp  open  unknown  
5127/tcp  open  unknown  
5988/tcp  open  wbem-http  
7578/tcp  open  unknown  
7582/tcp  open  unknown  
50000/tcp open  ibm-db2
  
Nmap done: 1 IP address (1 host up) scanned in 6.22 seconds

Now that we know which ports we want to tunnel, we proceed to do so. As root on our PC, we execute:

We add the loopback IP to the Java exception list:

Now we can access the web interface to download the Java applet. From Chrome, we can log in to the web interface:

But when downloading the applet, the following error appears for some unknown reason:

However, Firefox does not have any problems:

Now that we have the jnlp file, we launch it with the script from this previous article :

In the following screenshot, we can see the Java applet starting from a Gentoo ISO:

Surely, through tools like sshuttle, the process could be a little more transparent, but it seems that sshuttle has some problems in FreeBSD, so I have opted for the most generic approach, Ssh. Another option would be to install a VPN, but the fastest way is to use Ssh since no additional service needs to be installed.